1 // Copyright 2012 The Chromium Authors 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef NET_SOCKET_SSL_CONNECT_JOB_H_ 6 #define NET_SOCKET_SSL_CONNECT_JOB_H_ 7 8 #include <stdint.h> 9 10 #include <memory> 11 #include <set> 12 #include <string> 13 #include <vector> 14 15 #include "base/memory/ref_counted.h" 16 #include "base/time/time.h" 17 #include "net/base/completion_once_callback.h" 18 #include "net/base/completion_repeating_callback.h" 19 #include "net/base/net_export.h" 20 #include "net/base/network_anonymization_key.h" 21 #include "net/base/privacy_mode.h" 22 #include "net/dns/public/host_resolver_results.h" 23 #include "net/dns/public/resolve_error_info.h" 24 #include "net/socket/connect_job.h" 25 #include "net/socket/connection_attempts.h" 26 #include "net/socket/ssl_client_socket.h" 27 #include "net/ssl/ssl_cert_request_info.h" 28 #include "net/ssl/ssl_config_service.h" 29 #include "third_party/abseil-cpp/absl/types/optional.h" 30 31 namespace net { 32 33 class HostPortPair; 34 class HttpProxySocketParams; 35 class SocketTag; 36 class SOCKSSocketParams; 37 class TransportSocketParams; 38 39 class NET_EXPORT_PRIVATE SSLSocketParams 40 : public base::RefCounted<SSLSocketParams> { 41 public: 42 enum ConnectionType { DIRECT, SOCKS_PROXY, HTTP_PROXY }; 43 44 // Exactly one of |direct_params|, |socks_proxy_params|, and 45 // |http_proxy_params| must be non-NULL. 46 SSLSocketParams(scoped_refptr<TransportSocketParams> direct_params, 47 scoped_refptr<SOCKSSocketParams> socks_proxy_params, 48 scoped_refptr<HttpProxySocketParams> http_proxy_params, 49 const HostPortPair& host_and_port, 50 const SSLConfig& ssl_config, 51 PrivacyMode privacy_mode, 52 NetworkAnonymizationKey network_anonymization_key); 53 54 SSLSocketParams(const SSLSocketParams&) = delete; 55 SSLSocketParams& operator=(const SSLSocketParams&) = delete; 56 57 // Returns the type of the underlying connection. 58 ConnectionType GetConnectionType() const; 59 60 // Must be called only when GetConnectionType() returns DIRECT. 61 const scoped_refptr<TransportSocketParams>& GetDirectConnectionParams() const; 62 63 // Must be called only when GetConnectionType() returns SOCKS_PROXY. 64 const scoped_refptr<SOCKSSocketParams>& GetSocksProxyConnectionParams() const; 65 66 // Must be called only when GetConnectionType() returns HTTP_PROXY. 67 const scoped_refptr<HttpProxySocketParams>& GetHttpProxyConnectionParams() 68 const; 69 host_and_port()70 const HostPortPair& host_and_port() const { return host_and_port_; } ssl_config()71 const SSLConfig& ssl_config() const { return ssl_config_; } privacy_mode()72 PrivacyMode privacy_mode() const { return privacy_mode_; } network_anonymization_key()73 const NetworkAnonymizationKey& network_anonymization_key() const { 74 return network_anonymization_key_; 75 } 76 77 private: 78 friend class base::RefCounted<SSLSocketParams>; 79 ~SSLSocketParams(); 80 81 const scoped_refptr<TransportSocketParams> direct_params_; 82 const scoped_refptr<SOCKSSocketParams> socks_proxy_params_; 83 const scoped_refptr<HttpProxySocketParams> http_proxy_params_; 84 const HostPortPair host_and_port_; 85 const SSLConfig ssl_config_; 86 const PrivacyMode privacy_mode_; 87 const NetworkAnonymizationKey network_anonymization_key_; 88 }; 89 90 // SSLConnectJob establishes a connection, through a proxy if needed, and then 91 // handles the SSL handshake. It returns an SSLClientSocket on success. 92 class NET_EXPORT_PRIVATE SSLConnectJob : public ConnectJob, 93 public ConnectJob::Delegate { 94 public: 95 class NET_EXPORT_PRIVATE Factory { 96 public: 97 Factory() = default; 98 virtual ~Factory() = default; 99 100 virtual std::unique_ptr<SSLConnectJob> Create( 101 RequestPriority priority, 102 const SocketTag& socket_tag, 103 const CommonConnectJobParams* common_connect_job_params, 104 scoped_refptr<SSLSocketParams> params, 105 ConnectJob::Delegate* delegate, 106 const NetLogWithSource* net_log); 107 }; 108 109 // Note: the SSLConnectJob does not own |messenger| so it must outlive the 110 // job. 111 SSLConnectJob(RequestPriority priority, 112 const SocketTag& socket_tag, 113 const CommonConnectJobParams* common_connect_job_params, 114 scoped_refptr<SSLSocketParams> params, 115 ConnectJob::Delegate* delegate, 116 const NetLogWithSource* net_log); 117 118 SSLConnectJob(const SSLConnectJob&) = delete; 119 SSLConnectJob& operator=(const SSLConnectJob&) = delete; 120 121 ~SSLConnectJob() override; 122 123 // ConnectJob methods. 124 LoadState GetLoadState() const override; 125 bool HasEstablishedConnection() const override; 126 127 // ConnectJob::Delegate methods. 128 void OnConnectJobComplete(int result, ConnectJob* job) override; 129 void OnNeedsProxyAuth(const HttpResponseInfo& response, 130 HttpAuthController* auth_controller, 131 base::OnceClosure restart_with_auth_callback, 132 ConnectJob* job) override; 133 ConnectionAttempts GetConnectionAttempts() const override; 134 ResolveErrorInfo GetResolveErrorInfo() const override; 135 bool IsSSLError() const override; 136 scoped_refptr<SSLCertRequestInfo> GetCertRequestInfo() override; 137 138 // Returns the timeout for the SSL handshake. This is the same for all 139 // connections regardless of whether or not there is a proxy in use. 140 static base::TimeDelta HandshakeTimeoutForTesting(); 141 142 private: 143 enum State { 144 STATE_TRANSPORT_CONNECT, 145 STATE_TRANSPORT_CONNECT_COMPLETE, 146 STATE_SOCKS_CONNECT, 147 STATE_SOCKS_CONNECT_COMPLETE, 148 STATE_TUNNEL_CONNECT, 149 STATE_TUNNEL_CONNECT_COMPLETE, 150 STATE_SSL_CONNECT, 151 STATE_SSL_CONNECT_COMPLETE, 152 STATE_NONE, 153 }; 154 155 void OnIOComplete(int result); 156 157 // Runs the state transition loop. 158 int DoLoop(int result); 159 160 int DoTransportConnect(); 161 int DoTransportConnectComplete(int result); 162 int DoSOCKSConnect(); 163 int DoSOCKSConnectComplete(int result); 164 int DoTunnelConnect(); 165 int DoTunnelConnectComplete(int result); 166 int DoSSLConnect(); 167 int DoSSLConnectComplete(int result); 168 169 // Returns the initial state for the state machine based on the 170 // |connection_type|. 171 static State GetInitialState(SSLSocketParams::ConnectionType connection_type); 172 173 // Starts the SSL connection process. Returns OK on success and 174 // ERR_IO_PENDING if it cannot immediately service the request. 175 // Otherwise, it returns a net error code. 176 int ConnectInternal() override; 177 178 void ResetStateForRestart(); 179 180 void ChangePriorityInternal(RequestPriority priority) override; 181 182 scoped_refptr<SSLSocketParams> params_; 183 184 State next_state_; 185 CompletionRepeatingCallback callback_; 186 std::unique_ptr<ConnectJob> nested_connect_job_; 187 std::unique_ptr<StreamSocket> nested_socket_; 188 std::unique_ptr<SSLClientSocket> ssl_socket_; 189 190 // True once SSL negotiation has started. 191 bool ssl_negotiation_started_ = false; 192 193 // True if legacy crypto should be disabled for the job's current connection 194 // attempt. On error, the connection will be retried with legacy crypto 195 // enabled. 196 bool disable_legacy_crypto_with_fallback_ = true; 197 198 scoped_refptr<SSLCertRequestInfo> ssl_cert_request_info_; 199 200 ConnectionAttempts connection_attempts_; 201 ResolveErrorInfo resolve_error_info_; 202 // The address of the server the connect job is connected to. Populated if 203 // and only if the connect job is connected *directly* to the server (not 204 // through an HTTPS CONNECT request or a SOCKS proxy). 205 IPEndPoint server_address_; 206 207 // Any DNS aliases for the remote endpoint. Includes all known aliases, e.g. 208 // from A, AAAA, or HTTPS, not just from the address used for the connection, 209 // in no particular order. Stored because `nested_connect_job_` has a limited 210 // lifetime and the aliases can no longer be retrieved from there by by the 211 // time that the aliases are needed to be passed in SetSocket. 212 std::set<std::string> dns_aliases_; 213 214 // The endpoint result used by `nested_connect_job_`. Stored because 215 // `nested_connect_job_` has a limited lifetime. 216 absl::optional<HostResolverEndpointResult> endpoint_result_; 217 218 // If not `absl::nullopt`, the ECH retry configs to use in the ECH recovery 219 // flow. `endpoint_result_` will then contain the endpoint to reconnect to. 220 absl::optional<std::vector<uint8_t>> ech_retry_configs_; 221 }; 222 223 } // namespace net 224 225 #endif // NET_SOCKET_SSL_CONNECT_JOB_H_ 226